Practical use of gpgsm for verifying emails

Teemu Likonen tlikonen at iki.fi
Sat Apr 28 18:04:26 CEST 2018


I read email with Gnus (Emacs) and from time to time someone has signed
his mail with the S/MIME (X.509) system. My Gnus tries to verify signatures
automatically and it works nicely with PGP/MIME but S/MIME is more
difficult.

When verifying an S/MIME message gpgsm (I think) asks whether I
ultimately trust some certificate authority to certify others and then
asks me to verify that a displayed fingerprint belongs to the authority.
How do I know? (So far I have pressed the "Cancel" button.)

I went to the certificate authority's web page but couldn't find
fingerprints. That's not how the CA system usually works anyway. Usually we
are not supposed to go searching the internet. Usually some experts have
taught web browsers or operating systems to automatically trust certain
authorities. So signature verification is transparent.

Any suggestions or information for practically managing S/MIME messages?

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///